@mattab opened this Issue on December 17th 2019 Member

As reported by @Findus23

Not really a vulnerability in itself, but also not secure and might cause issues if someone uses the function without checking in the future. Therefore, I want to document it here.

The function generateSecureHash here is really not secure:

https://github.com/matomo-org/matomo/blob/e92247972a99092eb300bcbc163492542017d1b5/plugins/Login/PasswordResetter.php#L305

It hashes the string with $this->hashData, which again calls Common::hash, which uses the Whirlpool hash, which is fast and not intended for cryptographic use cases.

The splitting of data is just a distraction, as with 50000000 hashes per second on a simple GTX 1060 Ti there is no need to store rainbow tables.

I guess there is no reason to not use the secure slow hashes used for passwords also for password reset tokens.
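
The contrast the issue draws, as an added example that is not part of the original issue and not Matomo's code: the same input is hashed once with Whirlpool and once with PHP's password hashing API, and the per-hash cost is measured. The function names, the sample input and the bcrypt cost of 12 are assumptions chosen for illustration.

```php
<?php
// Added illustration, not Matomo's code: names and sample values are hypothetical.

// Constructed stand-in for the string a reset token is derived from.
$tokenInput = 'constructed-sample-input';

// Fast path: a single unsalted Whirlpool digest, as the issue describes.
function fastToken(string $input): string
{
    return hash('whirlpool', $input);
}

// Slow path: the password hashing API, which adds a random salt and a work factor.
// Note: bcrypt only reads the first 72 bytes of its input.
function slowToken(string $input): string
{
    return password_hash($input, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Verification for the slow path: the salt and cost are read back from the stored hash.
function verifySlowToken(string $input, string $token): bool
{
    return password_verify($input, $token);
}

// Average wall-clock seconds per call over $rounds calls.
function secondsPerCall(callable $fn, int $rounds): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $fn();
    }
    return (hrtime(true) - $start) / 1e9 / $rounds;
}

$fast = secondsPerCall(fn() => fastToken($tokenInput), 10000);
$slow = secondsPerCall(fn() => slowToken($tokenInput), 3);

printf("whirlpool:  %.7f s per hash\n", $fast);
printf("bcrypt(12): %.7f s per hash\n", $slow);
printf("cost per guess grows by a factor of about %d\n", (int) round($slow / $fast));

// The slow token still verifies against the right input and rejects a wrong one.
$token = slowToken($tokenInput);
var_dump(verifySlowToken($tokenInput, $token));
var_dump(verifySlowToken($tokenInput . 'x', $token));
```

Because `password_hash` salts each call, two tokens for the same input differ, so comparison has to go through `password_verify` rather than string equality.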
